Global Privacy Enforcement Network


GPEN Report


‘Resetting privacy’


UK Information Commissioner’s Office


Contents


Summary
Introduction
Approach
Survey
Roundtable
Analysis
Recommendations


Summary 


‘Resetting privacy’ is a Global Privacy Enforcement Network (GPEN) initiative, led by the UK 
Information Commissioner’s Office (UK ICO) to review if and how privacy enforcement and 
consumer protection authorities have changed their approach to regulation and 
enforcement during the COVID-19 pandemic, and whether they plan to ‘reset’ their 
approach as it subsides. 


This complements GPEN’s 2021 Sweep activity on whether COVID-19 solutions and 
initiatives implemented around the world have taken into account privacy considerations. 


Relevant data was gathered by conducting a survey of privacy enforcement and consumer 
protection authorities, and holding a virtual roundtable. 27 authorities from around the 
world responded to the survey and 17 took part in the roundtable. This report sets out and 
analyses the findings from this activity. Some of the key points are: 


• Almost half of participants reported that they made a change to their regulatory
approach during the pandemic.


• The most common change was an extension to time limits for responding to
regulatory enquiries for organisations facing difficulties as a result of the pandemic,
or providing front-line response to it.


• The majority of authorities that made changes are undecided about if and how to
revert to their pre-pandemic approach to regulation and enforcement. But some
already have, or plan to do so dependent on infection rates, relaxation of restrictions
and signs of economic recovery.


• Although changes in approach were mostly modest, it is possible that diverging
approaches to regulation and enforcement during the pandemic could lead to a lack
of clarity amongst organisations around the expectations of the regulatory
community.


• At the same time, a combination of a perceived relaxation of regulatory rules and
the increasing collection and use of data throughout the pandemic may be
contributing towards a ‘new normal’ among organisations of less privacy-friendly use
of data compared to pre-pandemic norms.


• Some authorities raised the question of whether an adapted or enhanced approach
to regulation would be necessary as the pandemic subsides in order to reaffirm
privacy and data protection rights.


To help address issues such as these and further support authorities in their considerations
around approaches to regulation and enforcement as the pandemic subsides, this report
recommends ongoing collaboration on this topic: within GPEN; between GPEN and the
Global Privacy Assembly; and with consumer protection authorities via GPEN’s Network of
Networks initiative.


Introduction 


Background 


The Global Privacy Enforcement Network (GPEN) connects privacy enforcement authorities 
(PEAs) from around the world. Each year it undertakes several activities to promote and 
support cooperation in cross-border enforcement of privacy laws. 


One of the annual activities is the GPEN Sweep. This is a coordinated action to assess global 
privacy practices on a specific topic. In 2020-21, the global pandemic led the GPEN 
Committee to focus the Sweep on the extent to which COVID-19 solutions and initiatives 
implemented around the world had taken into account privacy considerations. 


‘Resetting privacy’ 


In parallel with looking outward at the practices of other organisations, the GPEN 
committee was keen to look inward at the effect of the pandemic on PEAs and others in the 
regulatory community. 


In addition to the Sweep, the UK ICO (a GPEN Committee member) therefore led on a
separate but complementary COVID-19 activity to review how PEAs and consumer
protection authorities have adapted their approach to regulation and enforcement during
the pandemic, and whether they plan to ‘reset’ their approach as it subsides. We refer to
this activity as ‘resetting privacy’.


Aims


Three key aims motivated the ‘resetting privacy’ activity; they were to:


• assess if, how, and why PEAs and other regulators have adapted their approach to
regulation and enforcement during the pandemic;


• gauge if, how, and why PEAs and other regulators plan to ‘reset’ their approach to
regulation and enforcement as the pandemic subsides; and


• develop a shared understanding of this amongst PEAs and other regulators, to better
inform individual and collective decision-making and messaging around regulation
and enforcement during the pandemic.


Approach 


Two methods were used to collect data for the ‘resetting privacy’ activity.


Survey


First, a survey was circulated to all members of the following networks of data protection
and privacy authorities:


• GPEN

• Global Privacy Assembly (GPA)

• Common Thread Network (CTN)

• Asia Pacific Privacy Authorities Forum (APPA)

• Association Francophone des Autorités de Protection des Données Personnelles
(AFAPDP)

• Red Iberoamericana de Protección de Datos (REDIPD)


To solicit responses from other relevant regulators in addition to PEAs, the survey was also
circulated to consumer protection authorities via the International Consumer Protection
Enforcement Network (ICPEN).


The survey asked authorities to answer questions about three aspects of their regulatory
approach and activity during the pandemic:


• changes made to their approach to regulation and enforcement;

• plans to maintain or ‘reset’ changes to their approach to regulation and enforcement
as the pandemic subsides; and

• trends in volumes and types of complaints and breach notifications.


The survey was open for response between October 2020 and January 2021.


Roundtable 


Second, to complement the survey, a virtual ‘resetting privacy’ roundtable was held in the 
margins of the 2020 GPA, attended by PEAs and consumer protection authorities. 


The format and focus of the roundtable mirrored the content of the survey:


• the first half of the session provided a forum for participants to update on how they
had adapted their approach to regulation during the pandemic; and

• the second half of the session prompted participants to reflect on and discuss how
they envisaged maintaining or ‘resetting’ their regulatory approach in a post-COVID-19
context.


The roundtable took place on 27 October 2020. 


Survey 


A total of 27 authorities from Africa, Asia Pacific, Europe, and North America responded to 
the survey. Responses for each section of the survey are summarised below. 


Regulatory approach 

Just under half of respondents advised that their authority had made changes to its
approach to regulation and enforcement as a result of the COVID-19 pandemic (see Fig. 1).
For the authorities that did not make any changes, 40% discussed this, but decided against
doing so.


Fig. 1 - Has your authority’s approach to regulating and enforcing data protection
[consumer protection] changed as a result of the COVID-19 pandemic?


Where authorities did make changes to their approach, 
almost all indicated that for their internal processes, they 
were increasingly relying on digital technologies to 
perform some of their functions, and around a third 
explained that they switched to video teleconferencing to 
perform audits and inspections. 


In relation to their external posture, half of respondents 
that made changes to their approach indicated that they 
had extended the time limits for responses from organisations in relation to investigations, 
information requests or compliance orders. But only 15% of those authorities indicated that 
they had reprioritised or paused ongoing regulatory activity. 


Just 15% of authorities advised that the changes they had made had a ‘sunset clause’ or 
specific end date. The other 85% of authorities stated that the changes were either open 
ended or discretionary and would be applied on a case-by-case basis. 


The most common factors that influenced changes made by authorities were the 
publication of non-binding guidance by government, and a recognition of the operational 
and practical difficulties facing organisations during the pandemic. In addition, a quarter of 
authorities reported that changes made were influenced by observed shifts in public 
perceptions of privacy, and the temporary enactment of new laws in their jurisdiction. 


The majority of authorities that made changes to their regulatory approach communicated 
this to businesses and the public via their website, while a third of authorities advised that 
they had directly communicated with stakeholders via methods such as email and online 
consultation. 


Resetting regulatory approach 


The majority of respondents indicated that they did not yet know whether their authorities
would revert to a pre-pandemic ‘business as usual’ approach to regulation and enforcement
once the pandemic subsides, although just over a third of authorities reported that they
either had already done so, or planned to. None of the authorities that responded to the
survey indicated that they had already decided not to revert or reset their approach (see
Fig. 2).


Fig. 2 - Does your authority plan to revert to some or all of its ‘business as usual’ approach
to regulating and enforcing data protection law once the pandemic has subsided? (No: 0%)


Of the authorities that reported they did intend to revert their regulatory approach, half
indicated that this was because they either did not make any changes, or the changes were
relatively modest and they had already reset to business as usual. The most common
aspects of their regulatory approach that authorities indicated they either already had, or
planned to reset, were time limits for responses from organisations to formal enquiries and
the reintroduction of in-person regulatory activity (such as on-site monitoring and
inspection of data processing activity). Nevertheless, some respondents also noted that they
would likely maintain some digital aspects of the approach adopted during the pandemic in
order to continue to benefit from the ability to conduct certain activity remotely, such as
video interviews in investigations.


Most authorities that had reverted, or planned to revert, their regulatory approach, 
reported relatively simple reasoning for doing so: a normalised landscape / society should 
be reflected in a return to normalised regulation. Some authorities also highlighted a need 
to adhere to their core regulatory purpose or statutory function as an influencing factor, 
namely upholding information rights and reducing privacy risks for individuals. 


The most common factor cited by authorities as an indicator for when it would be
appropriate to begin the process of reverting regulatory approach was falling infection
rates, followed by: relaxation of restrictions; signs of economic recovery; and government or
public health guidance. One authority reported that they may revert their approach on a
case-by-case basis to take into account an organisation’s unique situation and capacity to
engage with them.


In terms of communicating a return to business as usual approach to organisations and the 
public, most authorities reported that they would use their websites and social media 
accounts. Some reported that they would also engage directly with certain organisations or 
industry bodies on a targeted basis. 


When asked whether cooperation with other authorities would be beneficial in informing 
their own planning for regulation and enforcement as the pandemic subsides, over 95% of 
respondents indicated that they thought it would be. The three types of cooperation to 
facilitate this most commonly selected by authorities were: information sharing via the 
GPEN website; opportunities for knowledge sharing across regulatory regimes; and 
conference calls (see Fig. 3). 


Fig. 3 - Would your authority find cooperation with other authorities beneficial in helping to
evaluate and plan its approach to regulating and enforcing data protection law as the
pandemic subsides? If so, how?

[Bar chart: percentage of authorities selecting each option. Options: participation in a
dedicated GPEN Working Group; sharing information on a dedicated section of the GPEN
website; opportunities for cross-regulatory knowledge-sharing (e.g. quarterly); regular
conference calls with interested authorities; more granular surveys; other.]


Complaints and breaches 


Around two thirds of authorities indicated that they had not noticed any new or emerging 
trends in the volume or type of complaints received during the pandemic, and the majority 
of respondents stated that they had not seen any changes in the volumes of personal data 
breaches reported to them (see Fig. 4). 


Of those that indicated there had been a change in the volume of complaints received, 
while most reported an increase, just under half noted that they had actually seen a 
decrease, either initially, or throughout the pandemic. 


Where changes to the type of complaint received were reported, almost all authorities 
advised that these related to the pandemic, such as complaints about: contact tracing 
(including processing of children’s data); inappropriate disclosure of test results; and, in a 
consumer protection context, cancellation of flight, venue and accommodation bookings. 


Of the small proportion of authorities that saw an increase in the volume of personal data 
breaches reported to them, over half indicated that these related to cyber-attacks or 
phishing-attacks. 


Fig. 4 - Has your authority noticed any new or emerging trends in the following areas since
the pandemic began?

[Three charts: the volume of complaints; the type of complaints; the volume of personal
data breaches. The ‘No’ share shown for the two complaints charts is 63% and 67%.]


Roundtable 


17 authorities from Asia Pacific, Europe, North America and South America attended the 
roundtable. Discussions from the session are summarised below. 


Regulatory approach 


Some authorities reported changes they had made to their regulatory approach as a result 
of the pandemic, including: extending time limits for organisations to respond to enquiries 
or report breaches; allowing organisations to conduct expedited privacy impact 
assessments; and adopting a less prescriptive, more principles-based, interpretation and 
application of data protection law. One authority noted however that they also had to work 
with organisations, in particular public health authorities, to clarify that measures adopted 
in response to the pandemic could not simply supersede data protection and privacy 
obligations. 


However, fewer than half of participants reported making changes to their regulatory 
approach. Rather, participants explained that they had been supportive and had taken an 
enabling approach to organisations facing difficulties during the pandemic, but had stopped 
short of making tangible and externally visible changes to their regulation and enforcement. 


More common amongst the participants were reported changes to internal ways of working 
within authorities in order to adapt to the novel circumstances of the pandemic. Changes 
included reprioritisation of work to free up resource to focus on issues raised by the 
pandemic, and increased use of digital technologies to support day-to-day remote working 
and for use in fulfilling regulatory duties. 


Resetting regulatory approach 


Where participants reported that they had made changes to their approach to regulation
and enforcement, they generally indicated that as the pandemic subsides, they also planned
to revert to their pre-pandemic approach, for instance by reaffirming to organisations the
need to adhere to privacy-by-design and carry out comprehensive privacy impact
assessments.


When considering post-pandemic approaches to regulation, several authorities noted a 
greater prominence given to data protection and privacy during the pandemic, and an 
increased awareness amongst the public of data use and rights. 


It was recognised by some participants, however, that despite this increased awareness, the 
pandemic has accelerated digitalisation trends and thus increased privacy risks to 
individuals. As a result, legislative and regulatory approaches may need to be enhanced or 
augmented by guidance in order to return privacy as a human right to its pre-pandemic 
status and support responsible innovation and data use by organisations. 


As regards internal ways of working, many authorities reported that they were likely to 
retain some practices they had adopted during the pandemic due to their positive impact. 
This included increased engagement and collaboration with the public sector and use of 
digital technologies to support remote working. 


Complaints and breaches 


Several authorities noted seeing an increase in complaints received, especially at the outset 
of the pandemic, and one reported that complaints had doubled compared to the same 
period the previous year. Where complaints increased, almost all authorities advised these 
related to the pandemic, including: data sharing in educational settings; contact-tracing; 
and, in a consumer protection context: scams, cancellations, and price gouging. 


Analysis 


The findings raise some interesting questions about the differing regulatory approaches 
adopted by authorities during the pandemic, and the impact of those changes — and the 
pandemic itself — on the privacy and data protection landscape as the pandemic subsides. 
Some of the key themes and questions raised are summarised below. 


A lack of clarity? 


Most authorities that took part in the survey and roundtable reported that they did not 
make changes to their approach to regulation and enforcement during the pandemic, but 
this was only a slim margin: there was a relatively even split between those that did and did 
not make changes. There are several possible reasons for this divergence including the 
differing spread of the pandemic across jurisdictions; the severity of the restrictions 
imposed and resulting impact on organisations; the historic regulatory approach adopted by 
authorities; and potential variance in the cultural and legal significance of data protection, 
privacy and broader consumer rights. 


But regardless of the reasons, the fact that authorities have taken and communicated
differing approaches to regulation and enforcement during the pandemic, even if the
changes made were relatively modest in practice (e.g. extending time limits, pausing
regulatory activity), could create confusion or a lack of clarity around the ongoing
expectations the regulatory community has for organisations’ handling of personal data.
Moving forward, it may help for authorities to consider this as they engage with
organisations, especially those operating across several jurisdictions. There is potential
scope for GPEN members, and others, to work together on myth-busting and reaffirming
organisations’ data protection and privacy obligations as the pandemic subsides. Looking
beyond the pandemic, there may also be opportunity to reflect and consider possible
coordinated or common approaches to regulation and enforcement in the event of similarly
exceptional global situations that may arise in the future.


A new normal? 


Where authorities made externally-facing changes to their regulatory approach, these 
tended to focus on an extension of time limits or minor adjustments to rules, in order to 
support organisations facing difficulties as a result of the pandemic, and those providing 
front-line services in response to it. These changes were predominantly around easing 
administrative burdens to take account of the extraordinary circumstances, without 
undermining the core principles of data protection and privacy which still applied in full. 
While this is the case, there is a potential risk that this change in approach could have been 
interpreted more broadly by organisations outside that specific context as a relaxation of 
the rules and an implicit acceptance of a more flexible and selective approach to compliance 
with data protection, privacy and consumer protection obligations. 


At a time when digital services are necessarily being used more than ever before (including
by regulators), and more data is being observed, collected and shared, there is the
possibility that the perception of a lighter-touch regulatory regime may lead to a ‘new
normal’ of data use that is more privacy intrusive than pre-pandemic norms. Indeed, one
authority reported the need to correct an assumption in the public sector that measures to
deal with the pandemic could supersede data protection obligations.


Of course, there are limitations to the methodologies used for this activity, including the 
questions that were and were not posed to respondents. As such, it is possible that 
authorities are individually or collectively alive to this issue and may have mitigated or 
dismissed it as low risk. But if not, authorities may wish to consider the extent to which the 
post-pandemic privacy and consumer protection landscape will actually mirror the pre- 
pandemic ‘normalised’ status quo (as some authorities indicated they expected it would), 
and if not, what the implications could be for regulatory approach. 


Changing attitudes? 


Authorities that participated in the roundtable session noted an increase in awareness of 
privacy and data protection rights amongst the public during the pandemic. But in parallel 
some authorities also acknowledged that perceptions of privacy may have shifted, with 
some people more permissive about the use of personal data and the perceived necessary 
trade-off between privacy and data sharing, especially for public health purposes. The 
differing reports from authorities in this initiative mean that the extent to which public 
attitudes on data protection and privacy may have changed as a result of the pandemic, and 
the direction of any change, is unclear. 


It may therefore be beneficial for authorities to consider how they might engage with the
public (both at a national and global level) to gauge their opinion on data protection, privacy
and acceptable use of data as the pandemic subsides. This could help better inform
decisions on post-pandemic regulatory approaches including whether a straightforward
reaffirmation of privacy and data protection rights and obligations is appropriate, or if public
attitudes might indicate a need for a degree of reinterpretation of those rights and
obligations as well.


Resetting or adapting? 


Most authorities that responded to the survey indicated that they had not yet made a 
decision on whether to reset their approach to regulation and enforcement as the pandemic 
subsides, but for those that had, there was a general consensus of resetting the approach to 
that of a ‘normal’ pre-pandemic status. However, this contrasts with discussion among 
some roundtable participants who took the view that regulatory approaches may need to 
be adapted to reaffirm or refresh privacy rights and awareness post-pandemic, and to more 
proactively monitor the ongoing effectiveness of data intensive COVID-19 measures, the 
necessity and proportionality of continued use of data, and adherence to data retention and 
sunsetting clauses. 


These differing findings may be the result of the research methods used, with the
roundtable potentially providing space for the emergence of more nuanced views than the
written responses to the standardised questions in the survey. Nonetheless, some
authorities remain uncertain on their post-pandemic approach to regulation and
enforcement, and are at varying stages of a challenging decision-making process, with
multiple factors to take into account and several possible options with which to move
forward.


Additionally, since carrying out the ‘resetting privacy’ activity, the fluid and fast-moving 
context of the pandemic has resulted in: new and more contagious variants of COVID-19; 
vaccine roll outs and associated use of data such as ‘vaccine passports’; and further waves 
of infections resulting in differing stages and levels of restrictions around the world. What 
one might consider as the ‘end’ of the pandemic is perhaps even less clear and more 
difficult to determine than it was before the ‘resetting privacy’ activity took place. It would 
appear therefore that further collaboration and coordination would be beneficial for 
authorities to help support each other as they consider their regulatory approach and 
navigate out of the pandemic. This is reflected in the survey respondents' near unanimous 
support for continued cooperation on these issues. 


Recommendations 


As identified in the findings and analysis sections of this report, there appears to be clear 
appetite for, and benefits to, ongoing cooperation in the privacy, data protection and 
consumer protection regulatory communities in order to surface and collectively address 
issues, and identify reasoned and appropriate approaches to regulation and enforcement in 
a post-pandemic world. 


In order to facilitate further cooperation, this report makes the following three 
recommendations: 


1. Collaboration within GPEN — Recommendation for the GPEN Committee and 
members to establish, promote and actively use a dedicated thread in its online 
discussion forum to share documents or opportunities relevant to post-pandemic 
regulation and enforcement, including: 


o internal enforcement-related policy development and decisions;


o relevant information from external sources, including reports, articles and 
surveys; and 


o potential coordinated activity, such as public / industry engagement or joint 
statements. 


2. Collaboration with the GPA — Recommendation for the GPEN Committee to reach 
out to any relevant Working Group at the GPA to explore how the networks may be 
able to collaborate on the topic of post-pandemic regulation and enforcement, 
including consideration of a joint roundtable or event. 


3. Collaboration across regimes — Recommendation for the GPEN Committee to reach 
out to ICPEN through the Network of Networks to share learnings from 
recommendations 1 and 2, and invite respective updates from the consumer 
protection regulatory community. 




